Security

October 17, 2018

A new round of phishing attacks has hit many of our mailboxes over the last 24 hours. The goal of these messages is to trick staff and students into handing over their login credentials.

We would like to remind all staff and students once again of the dangers of clicking links in email messages whose source you are unsure of. In particular, messages that ask you to log in and provide your username and password (or any other personal information) should be treated with caution. More information on how to identify and report such messages can be found at the URL below:

January 19, 2018

We’re all at risk from phishing scams, but there are things we can do to reduce the risk.

What we did

In December we used a respected cyber security company called Khipu Networks to create a simulated phishing campaign. Every member of staff, including student staff, received an email over the course of a day. The email pretended to be from the IT Helpdesk. Although we ensured that the phish looked realistic in terms of the fonts, logos, signature and language used, there were some subtle clues that it was a phish: the sending email address had a hyphen where a dot should be, and the web address, if you hovered your mouse over the link, was not one of ours (although it looked very much like it).

Anyone clicking on the link was taken to a web form and invited to enter their credentials. At this stage the biggest hint that this was a phish is that the IT Helpdesk would never ask staff to share usernames and passwords in this way, and nor should any other bona fide organisation. Anyone submitting the form (whether they entered real credentials, made-up ones or none at all) then received a further email explaining that they had been phished and asking them to watch a short online video with tips on how to avoid being phished, and to take a quiz.

Why we did it

Phishing is the main way that malware, including ransomware, gets into an organisation. We've had recent phishing attacks that have led to ransomware, and to individual staff members having their email accounts compromised and attackers using those accounts to attempt to divert salary payments (in both cases processes have been changed to prevent future damage). Our main line of defence is the awareness of our users. We've run two awareness campaigns about the dangers of phishing this year and wanted to see how well they had worked, and to assess whether we need more campaigns, more training or a combination of both.

What we didn’t do

We didn't alert staff beforehand that this was happening, in order to maximise the reach. That included IT Services staff, which is why the responses you received if you called were muddled in some instances. We also bypassed our normal phishing procedure: we didn't block the emails, we didn't allow mailscanner to flag them (although it did in some instances), and we didn't put out any service alerts.

What happened

We had unfortunate timing in that a real phishing and spam attack, sent through a compromised Essex email account, happened on the same day. This meant that there were some actual phishing emails in the system that day and, more importantly, that the follow-up email (sent when anyone entered their Essex details into the fake website) arrived up to several hours after they hit submit, instead of within a few seconds.

The Helpdesk received a very high number of calls and emails. Various individuals used informal routes to alert colleagues, including email and email lists (Small-Ads). This was all useful, as it shows there is something of a safety net in place that supports those who might not spot a phish for themselves.

What we learned

Although the number of people who were fooled by the phish was reasonably low, and certainly lower than the 32% reported when other institutions have carried out this exercise, it was still substantially higher than the 1% we aspire to. It only takes one successful phish to cause serious problems. And although many people are now aware of the fake phish, awareness of our most recent phishing awareness campaign is still low.

We've also seen that the IT Helpdesk doesn't have the resources necessary to cope with such an influx of queries, and we're looking into ways to ensure better support in future.

Comparing the number of calls to the Helpdesk with the numbers when a phishing attack is dealt with in the usual way (blocking emails, mailscanner, service alerts), we've been able to demonstrate that our usual countermeasures dramatically reduce both the number of phishing emails getting through and the number of people falling prey to them.

What’s next

We’re looking at ways to provide better levels of support to the IT Helpdesk.

We will send simulated phishing emails to students over a period of three or four days, yet to be confirmed, in the new year.

We may run a further simulated phishing test for staff at some stage without warning.

What you can do

We will continue to be hit with real phishing attacks, so do please:

January 4, 2018

Work to patch all University-owned computers, servers and infrastructure is proceeding well. Over half of the University’s digital estate has now been patched.

We haven't observed any problems with the patches so far. However, if you do experience any problems with your computer or device that you think may be related to recent software updates, contact the IT Helpdesk.

Patching work continues.

Update 09/01/2018

Work to patch and test core University systems is ongoing.

Our advice for users with personal devices and computers is to check for updates and install them.

Original alert 04/01/2018

As you may have heard in the news recently, researchers have discovered two major flaws in computer processors that could allow attackers to steal sensitive data. Both abuse speculative execution, a performance feature of modern processors, to let ordinary unprivileged code read memory it should not be able to see, such as passwords held in memory by the operating system or by another program.

One flaw, dubbed 'Spectre', was found in chips made by Intel, AMD and ARM. The other, known as 'Meltdown', primarily affects Intel chips. Because the flaws are in the hardware itself, the remedy is operating-system and firmware updates that work around them, which is why patching is the priority.

October 17, 2017

You may have heard about the KRACK wifi security flaw in the news this week. Researchers have discovered a flaw in the WPA2 security protocol, specifically in how encryption keys are set up when a device joins a network, that could allow a snooper within wifi range to decrypt some of your data when you connect to a wifi network.

So what does Krack mean for you?

There is no immediate threat to the University or to you when you are using our wifi network. An attacker would have to be within radio range of your device, and anything you send over an encrypted connection (for example to an https:// website) remains protected by that connection's own encryption.

If you use a mobile device then, as ever, it's best to keep it fully updated so that you have the latest security patches. The flaw is mainly in the client side of the protocol, so updating your devices is the main fix. This is best practice as set out in our mobile device guidelines.

IT Services will continue to monitor the situation and provide further advice as necessary.

As with any other IT concerns, report any unexpected behaviour to the IT Helpdesk, and they will advise you.

September 1, 2017

The most recent phishing attempt is an email pretending to be from the Student Loans Company, which asks you to update your student finance login security details.

This is a reminder to all staff and students to be vigilant when dealing with suspicious emails.

Before acting, always check for the following:

Does the email use your name? Phishing emails typically use terms like ‘Dear Customer’ or ‘Dear Student’ as they do not have your personal details.

Does the subject start with {?SPAM?}? If it does, our spam detector has found something in the email that could be suspicious.

Does the link look suspicious? Phishers often disguise links to make them appear genuine. If you're asked to click a link to a website, hover your mouse over the link to see where it really points. If that doesn't match the address shown in the email, or if it looks suspicious, don't click it.
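The three checks above, together with the clues in the December simulated phish described earlier on this page (a sending address with a hyphen where a dot should be, and a link whose real destination is not one of ours), can be automated. The script below is an added example, not part of this page or of any University system. It assumes the organisation's own domain is example.org, that the gateway tag is the literal text {?SPAM?} as described above, and the two messages it inspects are constructed for illustration.

```python
"""Heuristic phishing triage for one raw email message (added example).

Assumptions, not from the original page: the organisation's domain is
example.org; the spam tag is the literal text {?SPAM?}; the sample
messages at the bottom are constructed for illustration.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.org"}        # assumption: the organisation's real domain(s)
SPAM_TAG = "{?SPAM?}"                    # tag the gateway prepends to suspicious subjects
GENERIC_GREETINGS = ("dear customer", "dear student", "dear user", "dear staff")


class _LinkCollector(HTMLParser):
    """Record the visible text and href of every <a>, plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []          # (visible text, href) for each anchor
        self.text_parts = []     # every text node, used for the greeting check
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor_text).strip(), self._href))
            self._href = None


def host_of(value):
    """Lower-cased host of a URL or bare domain; '' if it has none."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_lookalike(host):
    """Untrusted host that still contains a trusted name, e.g. example-org.com
    (hyphen where a dot should be) or example.org.evil.net (our name as a prefix)."""
    if not host or is_trusted(host):
        return False
    return any(d in host.replace("-", ".") for d in TRUSTED_DOMAINS)


def analyse(raw_message):
    """Return a list of human-readable findings; an empty list means nothing tripped."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = msg["From"]
    sender_host = sender.addresses[0].domain.lower() if sender and sender.addresses else ""
    if is_lookalike(sender_host):
        findings.append(f"sender domain {sender_host!r} imitates one of ours")

    if str(msg.get("Subject", "")).startswith(SPAM_TAG):
        findings.append("subject carries the gateway's spam tag")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(content)
    is_html = body is not None and body.get_content_type() == "text/html"
    visible = "".join(collector.text_parts) if is_html else content
    first_line = next((ln.strip().lower() for ln in visible.splitlines() if ln.strip()), "")
    if first_line.rstrip(",:").startswith(GENERIC_GREETINGS):
        findings.append(f"generic greeting {first_line!r} instead of your name")

    # Compare what the link *shows* with where it *goes*, as a mouse-over would.
    for shown, href in collector.links:
        target = host_of(href)
        shown_host = host_of(shown) if re.fullmatch(r"\S+\.\S+", shown) else ""
        if shown_host and shown_host != target:
            findings.append(f"link text shows {shown_host!r} but points at {target!r}")
        if is_lookalike(target):
            findings.append(f"link target {target!r} imitates one of ours")
    return findings


# Constructed sample: lookalike sender, spam tag, generic greeting, disguised link.
PHISH = """\
From: IT Helpdesk <helpdesk@example-org.com>
To: someone@example.org
Subject: {?SPAM?} Your mailbox is over quota
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Please visit <a href="http://example.org.mail-verify.net/login">https://webmail.example.org</a>
to confirm your username and password.</p>
</body></html>
"""

# Constructed sample: an ordinary internal message that should pass every check.
BENIGN = """\
From: Alice <alice@example.org>
To: bob@example.org
Subject: Room booking

Hi Bob,
The room is confirmed: https://intranet.example.org/rooms/12
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, analyse(sample) or ["no findings"])
```

These are heuristics, not a verdict: a targeted phish may use your name and a freshly registered domain that contains none of ours, so a clean result is no guarantee, and the advice above (hover, don't enter credentials, report it) still applies.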

If you think you've received a phishing email, stay calm. Don't reply to it, just delete it. Simply receiving a phishing email puts you at no risk; the danger comes from clicking its links, opening its attachments or entering your details.

You can report it by forwarding it to phishing@essex.ac.uk – this will help to stop others receiving it.